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Abstract 

With increasing popularity of unmanned aircraft, continuous 
monitoring of their systems, software, and health status is 
becoming more and more important to ensure safe, correct, 
and efficient operation and fulfillment of missions. The paper 
presents integration of prognosis models and prognostic in- 
formation with the R2U2 (REALIZABLE, RESPONSIVE, and 
Unobtrusive Unit) monitoring and diagnosis framework. 
This integration makes available statistically reliable health 
information predictions of the future at a much earlier time to 
enable autonomous decision making. The prognostic infor- 
mation can be used in the R2U2 model to improve diagnostic 
accuracy and enable decisions to be made at the present time 
to deal with events in the future. This will be an advance- 
ment over the current state of the art, where temporal logic 
observers can only do such valuation at the end of the time 
interval. Usefulness and effectiveness of this integrated diag- 
nostics and prognostics framework was demonstrated using 
simulation experiments with the NASA Dragon Eye electric 
unmanned aircraft. 

1. Introduction 

For safe and efficient operation and successful fulfillment of 
missions, it is imperative for modern autonomous systems, 
such as unmanned aerial systems (UAS), to detect, in flight, 
if all their components are working in a nominal mode, or 
if there are any faults that might hamper their performance, 
endanger their missions, or even lead to crashes. Hence, con- 
tinuous monitoring of the UAS systems, their software, and 
health status is becoming — even for small UAS — more and 
more important. 

Traditional Fault Detection and Diagnosis (FDD) systems use 
the current system status as provided by on-board sensors to 
detect faults and perform root cause analysis. Many differ- 
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ent FDD systems and approaches exist and are being used 
for commercial and military aircraft, automobiles, or com- 
plex (chemical) plants, e.g., (Frank, 1996). Many diagnostic 
reasoners that are used for on-board diagnostics are oblivi- 
ous of any temporal relationships and strictly focus on the 
current state of the system, or need signal-preprocessing li- 
braries (e.g., TEAMS RT (Mathur, Deb, & Pattipati, 1998)). 
Other systems like FACT (Karsai et al., 2006) allow the 
modeler to specify properties of temporal propagation that 
can be used for diagnosis. For example, if component A 
fails some time after component B and there is structural 
relationship, then the reasoner can deduce from the order 
of the events what actually happened. Again, all infor- 
mation is deduced from the current and past states of the 
UAS. The R2U2 (REALIZABLE, RESPONSIVE, and UNOB- 
TRUSIVE Unit) Framework (Schumann, Rozier, et al., 2013; 
Schumann et al., 2015; Reinbacher, Rozier, & Schumann, 
2014) is a diagnosis framework that combines observers for 
Metric Temporal Logic with Bayesian networks for prob- 
abilistic reasoning and root cause analysis. R2U2 is im- 
plemented in FPGA hardware (Geist, Rozier, & Schumann, 
2014). 

The performance and safety of an electrically powered UAS 
strongly depends on its battery. In most cases, high-powered 
rechargeable cells (e.g., Li-poly type cells) are used to power 
engines, electronics, and payload. When the battery gets de- 
pleted, its voltage starts decreasing and available power to the 
engine might be reduced. This can lead to lower speeds and 
climb rates. If the voltage drops below a certain threshold, the 
flight computer will stop and the UAS will crash. Prognostic 
information that gives a prediction of how much time remains 
before the battery voltage will drop below a certain threshold 
can be very valuable in such scenarios, ensuring even safer 
operation by enabling possible mitigation actions. 

In this paper, we extend R2U2 to incorporate the use of prog- 
nostic models and reasoning information to take future pre- 
dictions of safety and performance into account. This en- 
ables decision making at the present point in time. With this 
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extension, we are able to substantially improve model ex- 
pressiveness with respect to future events. For example, a 
safety rule might say that “f/ie UAS state is only healthy if an 
upcoming climb is performed with enough battery resen’es 
when the climb starts ”, Assuming that the flight plan entails 
a climb in 10 minutes, a temporal encoding of that flight rule 
could be: “ within the next 10 minutes always have a good 
battery .” However, the validity of this formula can only be 
established after 10 minutes, unless the battery becomes de- 
pleted before that. That time, however, in general is too late 
to re-plan the mission. The synchronous R2U2 observers pro- 
vide additional instantaneous information if it is still possible 
(“maybe”) to observe the flight rule, but again, its ultimate 
validity can only be decided after 10 minutes. Our proposed 
extension allows for such a flight rule to be evaluated at the 
current time indicating if the battery will be good in 10 min- 
utes. 

With our novel incorporation of prognostics reasoning into 
the R2U2 framework, we will have information about the ex- 
pected future battery performance at the present time, and the 
system can decide immediately if the flight rule will be vio- 
lated in the future based upon these predictions. Obviously, 
assumptions about the battery performance and the estimated 
load profile are necessary. Using simulation experiments with 
the NASA Dragon Eye unmanned aircraft we will demon- 
strate how the use of an advanced prognostics model for the 
main UAS battery can augment and improve the UAS health 
models. 

The rest of this paper is structured as follows: Section 2 
presents an overview of the R2U2 framework with tempo- 
ral observers and Bayesian reasoning and its realization in 
FPGA hardware. This section also gives an introduction into 
our model-based prognostics architecture. Section 3 focuses 
on the integration of prognostic reasoning into R2U2. In 
Section 4 we present results of simulation experiments with 
a NASA UAS and a prognostics model for battery perfor- 
mance. Section 5 discusses future work and concludes this 
paper. 

2. Background 

In this section we present an overview over the R2U2 frame- 
work with its FPGA implementation and provide an introduc- 
tion into prognostics. 

2.1. The R2U2 Framework 

Developed to continuously monitor system and safety proper- 
ties of an UAS in flight, our real-time R2U2 (Realizable, 
Responsive, and Unobtrusive Unit) framework has been 
implemented on FPGA (Field Programmable Gate Array) 
hardware (Reinbacher et ah. 2014; Geist et ah, 2014). Health 
models within this framework (Schumann, Rozier, et al., 
2013; Schumann et ah, 2015) are defined using Metric Tem- 
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Figure 1. Illustration of MTL operators (from (Schumann, 
Rozier, et ah, 2013)). Time steps and interval boundaries refer 
to ticks of the system clock. 


poral Logic (MTL) and Mission-time Linear Temporal Logic 
(LTL) (Reinbacher et ah, 2014) for expressing temporal prop- 
erties as well as Bayesian Networks (BN) for probabilistic 
and diagnostic reasoning. 

R2U2 models are constructed in a modular way where out- 
puts of sensor discretization and reasoning components can 
be connected to other monitoring and reasoning components 
(Schumann, Rozier, et ah, 2013). An R2U2 model is usually 
specified using a graphical block representation and consists 
of data processing blocks, temporal logic observer blocks, 
and Bayesian diagnostic reasoning blocks. Additional block 
types provide utility functions. 

2.1.1. Temporal Logic Monitors 

LTL and MTL formulas consist of propositional variables, 
the Boolean operators A, V, or -A, and MTL oper- 
ators. For formulas p,g, we have Dp (Always p), 0 p 
(Eventually p), Xp (NextTime p), pUq (p Until q), 
and plZq (pRELEASES q). For MTL, each of the temporal 
operators is accompanied by an upper and lower time bound 
that express the time period during which the operator must 
hold. Figure 1 illustrates the MTL operators: □- 2 _ fi ]p means 
that p must be true at all times between time step 2 and 6 
along the time line (red dots). 0[o,7]P means that p must be 
true at least once in the interval [0, 7]. In Figure 1, p is true at 
t = 7 making that formula true. pU^i ^q signifies that either 
q is true at the beginning of the interval, or else p is true at the 
beginning of the interval and will remain true until a future 
time (here: t = 3) within the interval, when q must be true 
(blue dot). Finally, pHyz^q means that either p A q is true 
at the beginning of the interval or q is true then until a fu- 
ture time within the interval when both are true (purple dot at 
t = 6 in Figure 1). This operator is works like a push-button: 
pressing p triggers event —<<i that “releases q” in the future. A 
detailed definition and semantics can be found in (Reinbacher 
et al., 2014). 

2.1.2. Bayesian Networks for Health Models 

In many situations, temporal logic monitoring might come 
up with several violations of properties. In order to be able 
to disambiguate the root causes, the R2U2 framework uses 
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Figure 2. BN for Health management. Observable nodes are 
shaded. 


static Bayesian Networks (BN) for diagnostic reasoning. BNs 
are directed acyclic graphs, where each node represents a sta- 
tistical variable (Figure 2). BNs are well-established in the 
area of diagnostic and health management (e.g., (Pearl, 1985; 
Mengshoel et al., 2010)). Conditional dependencies between 
statistical variables are represented by directed edges. Local 
conditional probabilities are stored in the Conditional Prob- 
ability Table (CPT) of each node. For example, the CPT of 
node S in Figure 2 defines P(S\U, H_S). 

For our health models, we are using BNs of a general struc- 
ture as shown in Figure 2. Discrete sensor signals or out- 
puts of the synchronous temporal observers (true, false, 
maybe) are clamped to the S (sensor) and C (command) 
nodes. Since a sensor can fail, it has an unobservable health 
node attached. 1 As priors, these health nodes can contain in- 
formation on how reliable the component is, e.g., by using a 
Mean Time To Failure (MTTF) metric. Unobservable nodes, 
U, may describe the behavior of the system or component as 
it is defined and influenced by the sensor or software infor- 
mation. For details of modeling see (Schumann, Mbaya, et 
al., 2013). 

During flight, the posterior probabilities of the BN’s health 
nodes, given the sensor and command values e as evidence 
are calculated at each time step. The probability Pr(H_S = 
good |e) gives an indication of the status of the sensor or com- 
ponent. For on-board real-time reasoning, we use a represen- 
tation of BNs that is based upon arithmetic circuits (AC), as 
these data structures and algorithms provide predictable real- 
time performance (Chavira & Darwiche, 2005; Mengshoel et 
al., 2010). 


2014; Schumann, Rozier, et al., 2013) guarantees minimal 
obtrusiveness of our framework. All monitoring data are 
transferred via a read-only interface into our R2U2 imple- 
mentation that is hosted on an Adapteva Parallella board 2 
mounted on the UAS. 




Figure 3. A: High level system architecture with R2U2. B: 
FPGA architecture. 


Figure 3B shows the major components of the R2U2 monitor- 
ing unit as implemented in the FPGA: the control subsystem, 
the signal processing and filtering system (SP), the runtime 
verification (RV) unit, and the runtime reasoning (RR) unit. 
Continuous signals as obtained via the read-only interface 
are filtered and discretized in the SP unit to obtain streams 
of propositional variables. The RV and RR units comprise 
the proper health management hardware: RV monitors MTL 
properties using pairwise observers defined and proved cor- 
rect in (Reinbacher et al., 2014). After the temporal logic 
formulas have been evaluated, the results are transferred to 
the runtime reasoning (RR) subsystem, where the compiled 
Bayesian network is evaluated to yield the posterior marginals 
of the health nodes (Geist et al., 2014). 

2.3. Prognostics 


2.2. Hardware Implementation 

R2U2 is implemented as a separate hardware component. 
Figure 3A shows the high-level architecture of R2U2 inte- 
grated in a UAS. Controlled by an on-board flight computer 
and the flight software (FSW), the UAS receives measure- 
ments from various sensors (e.g., inertial sensors, GPS, or 
barometric altitude) and commands from the ground control 
station (GCS) and calculates the necessary adjustments of the 
actuators: elevator, rudder, ailerons, and throttle. Our R2U2 
monitor obtains information from sensors and the FSW. In- 
strumentation of the FSW with small footprint (Geist et al., 

1 In contrast, am command input cannot fail and there for does not have an 
associated health node. 


In this section we discuss our developed electro-chemical 
model and battery prognosis framework following the gen- 
eral estimation-prediction framework of model-based prog- 
nostics (Luo, Pattipati, Qiao, & Chigusa, 2008; Orchard & 
Vachtsevanos, 2009; Daigle & Goebel, 2013). Details of 
the specific algorithms are described in (Daigle & Kulka- 
rni, 2013). Similar approaches have been used for prog- 
nosis of pneumatic valves (Daigle, Kulkarni, & Gorospe, 
2014; Kulkarni, Daigle, Gorospe, & Goebel, 2014) and for 
Current/Pressure (I/P) Transducers (IPT) (Teubert & Daigle, 
2013, 2014) Here, we only summarize the formulation of the 
prognostics problem, followed by a brief description of the 
estimation and prediction approach. 

2 http://www.adapteva.com/parallella-board/ 
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2.3.1. Problem Formulation 

We assume the system model may be generally defined as 

x(fc + 1) = f(fc,x(fc), 9(k), u (k),v(tc)), 
y 0) = h(k,x(k),9(k),u(k),n(k)), 

where k is the discrete time variable, x(fc) £ is the 
state vector, Q(k) £ is the unknown parameter vector, 
u(fc) £ K" 1 * is the input vector, v(fc) £ K™ 1 ’ is the process 
noise vector, f is the state equation, y (fc) £ K n! ' is the output 
vector, n(fc) £ K"" is the measurement noise vector, and h 
is the output equation. 3 

In prognostics, we predict the occurrence of an event E that 
is defined with respect to the states, parameters, and inputs 
of the system. We define the event as the earliest instant that 
some event threshold Te : R nx x K" 8 x -A B, where 
B = {0, 1} changes from the value 0 to 1. That is, the time 
of the event k E at some time of prediction kp is defined as 

k E (k P ) = inf {k £ N: k > k P A T E (x(k), 9(k), u (k)) = 1}. 

The time remaining until that event, A k E , is defined as 

A k E {kp) = k E {kp ) — kp. 

For system health management, T E is defined via a set of per- 
formance constraints that define what the acceptable states of 
the system are, based on x(fc), 9{k), and u(fc) (Daigle & 
Goebel, 2013). For batteries, we are interested in end of dis- 
charge (EOD) time, i.e., the time at which the battery voltage 
will deplete below the voltage threshold V E od- 

Models of the system components are constructed in this 
paradigm that capture both nominal behavior, as well as 
faulty behavior and damage progression. Using these mod- 
els, observations can be mapped back to the health state of 
the system as represented in x and 9. An estimation algo- 
rithm, such as the Kalman filter (KF), unscented Kalman fil- 
ter (UKF), or particle filter (PF), is used to solve this prob- 
lem (Daigle, Saha, & Goebel, 2012). In this paper we use the 
UKF. This state-parameter estimate, along with a prediction 
of the future usage of the component, is used as input to a pre- 
diction algorithm that computes the time to EOD. This time is 
known as end of life (EOL), the difference between EOL and 
current time is called the remaining useful life (RUL) (Daigle 
& Goebel, 2013; Daigle, Saxena, & Goebel, 2012). 

2.3.2. Prognostics Architecture 

In our model-based prognostics architecture (Daigle & 
Goebel, 2013), there are two sequential problems, (i) the 
estimation problem, which requires determining a joint 
state -parameter estimate p(x(fc), 9(k)\y(ko'.k)) based on 
the history of observations up to time k, y(ko'-k), and 

3 Bold typeface denotes vectors, and n a denotes the length of a vector a. 


(ii) the prediction problem, which determines at kp , 
using p(x(k),9(k)\y(ko:k)), a probability distribution 
p(k E (kp)\y(ko:kp)). The distribution for A k E can be 
trivially computed from p(k E (kp)\y(ko:kp)) by subtracting 
kp. 

The prognostics architecture is shown in Figure 4. In discrete 
time k, the system is provided with inputs ri/, and provides 
measured outputs y/ c . The estimation module uses this infor- 
mation, along with the system model, to compute an estimate 
p(x(k), 9(k)\y(ko'k)). The prediction module uses the joint 
state-parameter distribution and the system model, along with 
hypothesized future inputs, to compute the probability distri- 
bution p( k E (/,;:/>) | y ( fco : k / > ) ) at given prediction times kp. 

2.3.3. Estimation 

For batteries a detailed physics model of component behav- 
ior using nominal data from the testbed has been developed, 
which is discussed in (Daigle & Kulkarni, 2013). We use 
an unscented Kalman filter (UKF) to obtain the state esti- 
mate from the sensor measurements, as described in (Daigle 
& Kulkarni, 2013). 

Battery Modeling: In order to predict end-of-discharge 
(EOD) as defined by a voltage cutoff, the battery model must 
compute the voltage as a function of time given the current 
drawn from the battery. There are several electrochemical 
processes that contribute to the cell’s potential that make this 
a difficult problem. For the purposes of on-line prognos- 
tics, we focus here on a lumped-parameter ordinary differ- 
ential equations form that still considers the main electro- 
chemical processes. We focus on Li-ion 18650 batteries with 
an average nominal voltage of 4.2V and nominal capacity of 
2200mAh. 

The voltages of a battery are summarized in Figure 5 (adapted 
from (Rahn & Wang, 2013)). The overall battery voltage 
V(t) is the difference between the potential at the positive 
current collector, <f> s ( 0, t), and the negative current collector, 
</> s (L, t), minus resistance losses at the current collectors (not 
shown in the diagram). As shown in the figure, the potentials 
vary with the distance d £ [0, L\, because the loss varies with 
distance from the current collectors. The details of the battery 
model are discussed in (Daigle & Kulkarni, 2013). 

State of Charge: State of Charge (SOC) of a battery is con- 
ventionally defined to be 1 when the battery is fully charged 
and 0 when the battery is fully discharged. In this model, it 
is analogous to the mole fraction x n , but scaled from 0 to 
1. There is a difference here between nominal SOC and ap- 
parent SOC. Nominal SOC would be computed based on the 
combination of the bulk and surface layer CVs in the neg- 
ative electrode, whereas apparent SOC would be computed 
based only on the surface layer. That is, a battery can be 
discharged at a given rate, and reach the voltage cutoff, i.e.. 
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Prognostics 



Figure 4. Prognostics architecture (see (Daigle & Goebel, 2013)) 


apparent SOC is then 0. But, once the concentration gradi- 
ent settles out, the surface layer will be partially replenished 
and the battery can be discharged further, i.e, apparent SOC 
increases whereas nominal SOC remains the same. 


Nominal (n) and apparent (a) SOC can then be defined using 


SOC n 

SOC a 


Qn 

0.6 g max 

Qs,n 

0 . 6 ( 7 ™“®"’* ’ 


(1) 

( 2 ) 


where g max ®.’* = gmaxy^ The factor 1/0.6 comes from the 
fact that the mole fraction at the positive electrode cannot go 
below 0.4 (Daigle & Kulkarni, 2013), therefore SOC of 1 
corresponds to the point where q n = 0.6g maXs rl . 

Battery Voltage: Now that each of the voltage drops in Fig- 
ure 5 have been defined, battery voltage can be expressed as 
follows. 


V = V v , p - V u>n -V a - V v , p - V v , n . (3) 

Voltages in the battery are not observed to change instanta- 
neously, i.e., the voltage change occurs smoothly. When dis- 
charge completes, for example, the voltage rises slowly as 
the surface layers move to the concentrations of the bulk vol- 
umes, as caused by diffusion. In addition to this, there are 
transients associated with V Q and the V., h i terms. To take this 
into account in a simple way, we compute voltage using 

V = V UtP - V Utn - V' 0 - V' tp - (4) 

where 

K = {Vo - V')/To ( 5 ) 

Kp = {Vrup ~ K tP )/Tr,, P ( 6 ) 

Kn = ( V v ,n - V' >n )/T v>nt ( 7 ) 

where the r parameters are empirical time constants. 

The model contains as states x, g SjP , gf, )P , gb jn , q 8>n , V' 0 , V pp , 
and V p n . The single model output is V. 



Figure 5. Battery voltages. 


<t>s(L,t) 


SOC, as computed by the UKF, and expected future load, we 
can then quickly compute the corresponding time of EOD. 

2.3.5. Application to Prognostics 

With an accurate model and known future inputs to a system, 
prognostics should in turn be accurate. We use the architec- 
ture described in Section 2.3. As an estimation algorithm, 
we use the unscented Kalman filter (UKF) with the battery 
model; see (Julier & Uhlmann, 1997, 2004) for details on 
the filter and (Daigle, Saha, & Goebel, 2012; Daigle, Sax- 
ena, & Goebel, 2012) for its application to prognostics. The 
UKF operates on a set of deterministically selected samples, 
called sigma points , that are used to represent the joint state- 
parameter distribution p(x(k), d(k)\y(ko:k)). 

For the prediction algorithm, we perform a simple simulation 
as described in (Daigle & Goebel, 2013). Each sigma point 
is simulated forward using the model until EOD is reached; 
from the corresponding EODs for each sigma point we can 
construct the EOD distribution. In this work, we assume that 
the future inputs (i app ) are known, so the only uncertainty 
present in the prediction is that related to the model. A de- 
fined cutoff voltage is assumed to define EOD. 


2.3.4. Prediction 

For the batteries, we simulate for various state of charge 
(SOC) values and load values the corresponding remaining 
time until discharge, and compute a lookup table. Given the 


3. Approach 

We integrate prognostics capabilities into our R2U2 frame- 
work by defining a new type of model block (Figure 6). It 
is provided with the analog input signals for battery volt- 
age Ubatt and current / t, att and produces values for RUL and 
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SOC. Prognostics blocks for other system components look 
similar. The prognostics engine can also be provided with 
prognosis time t, a planned load profile V, and prognostics 
model A4. We can use the outputs of the prognostics mod- 



Figure 6. R2U2 Prognostics Block 

ule in different ways: a model-based accurate estimate of the 
battery state at the current time. Because SOC is a statisti- 
cal variable with a probability density, we use ^ oc for the 
expected value and a soc for the standard deviation. These 
values [IRC: Something is missing here!!], although no pre- 
dictions give more insight into the actual condition of the bat- 
tery than just battery voltage. 

The RUL prediction itself is calculated via A ksikp). We de- 
note V,M] for the expected value for the battery’s 

RUL in t time-stamps from now. The load-profile V can be 
obtained from the flight computer by reading the list of up- 
coming way-points. There can be substantial uncertainty in 
the prediction because of unmodeled and unpredictable exter- 
nal effects like wind. Finally, Ai is the battery’s prognostic 
model. For convenience, we introduce ^ UL [f] for a standard 
expected load profile and /if r/L for an RUL prediction at the 
current time. Those expressions use a nominal battery model. 

In the following, we discuss a number of safety and perfor- 
mance properties that actively use the prognosed values of the 
main battery of the UAS. Most R2U2 health models consist 
of Boolean and temporal observers to monitor value ranges, 
relationships, and flight rules. Value checks test whether data 
values are plausible and relationships encode dependencies 
among sensor or software data that may originate from differ- 
ent subsystems. Flight rules are defined by institutions (e.g., 
the Federal Aviation Administration) or are rules that must be 
obeyed for mission- or system-specific reasons. 

3.1. Value Checks 

VI: Always have enough battery. 

□ (/if oc > 50) 

requires that the battery always has a charge of at least 50% 4 . 
This formula continuously monitors the actual battery state 
at each point in time during the flight. This threshold will 
certainly vary depending on the mission profile. Such con- 
straints can be easily formulated in logic. For example, a 

4 Note that this number has been arbritrarily chosen for illustration purposes. 


loaded UAS should have its batteries charged to a minimum 
of 80%: isioaded -A D(/j,^ oc > 80). We might require that 
the battery will be charged at the end of the flight t en d , given 
the current set of way-points V, and we want to know it now: 

db UL [tend,V } 

provides this information. Note that although the formula 
has a clear temporal meaning, it is not expressed in tempo- 
ral logic. 

V2: The above formula can be refined to monitor for safe op- 
eration in specific scenarios: for a safe takeoff and subsequent 
mission, the battery must be charged to at least 80% 

□ (-i((cmd == takeoff) A (/rf 00 < 80)) 

V3: The maximum current that can be drawn from the battery 
is, of course, always limited: < 100A). However, an 

already substantially discharged battery should not be over- 
burdened. For example, for the remaining 10 minutes before 
the end of RUL, only 30A should be drawn. Several levels of 
maximum allowable current, depending on the battery’s RUL 
can be specified by: 

D(^ UL > 100m) V I batt < 100A) V 
□(a <-b UL > 50to ) V Ibatt < 50A) V 

□ > 10to ) v J batt < 30A) 

Here again, multiple versions with different battery models 
might be of interest. A safety rule might restrict the amount 
of current to be drawn even further based on a battery model 
that performs predictions of an overheated battery. 

V4: don’t draw too much current if you are unsure about the 
charge status of the battery 

□ H(af oc > 10) A ( I eng > 50A))) 

V5: Do not heat up the battery as a result of extended use 
if it is close to empty. If the battery is charged to only 50% 
or less, a current of more than 30/1 should not be drawn for 
more than 30 consecutive seconds: 

□ ((/z£ oc < 50) -A (I batt > 30A)AA[ O ,29s ] (Ibatt < 30 A)) 

V6: This property monitors that the landing command is is- 
sued before the battery reaches a dangerous low level of 20% 
or less. Here again, the temporal operators cannot work with 
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non-constant intervals, so we discretize into several ranges: 

□ ( g^ UL < 1000 -A 0 [ 0 , 1000 ] {cmd == landing )) V 

□ (/z ^ UL < 500 0[o,50o] {cmd == landing )) V 

□ ( g^ UL < 100 -A {)[o,ioo] {cmd == landing)) V 

3.2. Relationships 

These properties relate signals from different sensors. Here 
again, rules can be different depending on the state of that 
battery. For these examples and our simulation experiments, 
we assume that the throttle value just regulates the motor cur- 
rent I eng , but not engine power or its speed (RPM). With 
such a simple controller (mostly found in small hobby-style 
UAS), the motor RPM will decrease if the battery becomes 
discharged and Ubatt drops. 

Rl: Pitching up should result in a strong climb 

□(□[o,2o.] ((« > a o) A (g^ oc > 80)) 0 [o, 2 s]Kz > 10) 

For weaker battery the available engine power is lower and 
thus we cannot expect the same climb speed. We obtain 

□(□[0,20s] ((ct > CKo) A {Hb OC > 30)) — > 0[0,2 s]Vz > 2) 

3.3. Flight Rules 

Flight rules can be complex formulas that must be valid for 
the UAS to be in a safe and healthy state and to accomplish 
the mission successfully. They might concern certain mini- 
mal performance rules or behavior in specific situations, e.g., 
a certain loitering altitude should be reached in case the com- 
munication link is lost and wait for the communication to be 
re-established. Some of the flight rules depend on state of 
the battery. For example, loitering should be attempted only 
if the battery will have power for at least 5 more minutes of 
flight. If the battery is too weak, the only safe alternative is to 
immediately attempt an emergency landing. 

FI: This flight rule checks on availability of enough battery 
power for an upcoming climb in lOmin. As discussed in Sec- 
tion 1, we want to be able to decide immediately if the flight 
rule is violated or not. Figure 7 shows this nominal situation 
at time t. The blue line corresponds to the future development 
of the altitude with a climb in 10 minutes. A naive formula- 
tion in MTL as D^ w ^(battery == OK) is not suitable here 
(green line), because the formula is false until t = t + 10 min. 
Only then, the formula can be decided, in our nominal case, 
to be true. A black triangle depicts the point when the for- 
mula is decided. Even the R2U2 synchronous observer only 
can obtain a “maybe” for the next 10 minutes (red line). By 
using the prognostics engine, this flight rule can be encoded 
as 

(llb UL > 30) A ( tdimb ~ t > 10) 


where tdimb is the planned time of the next climb as obtained 
from the list of waypoints in the FSW. This formula can be 
decided right away (magenta in Figure 7). Alternatively, this 
formula can be written as n^ UL [ 10] > 30. 



4. Experiments and Results 

4.1. The UAS Testbed 

For this paper, we consider a simple and small UAS plat- 
form, the NASA Dragon Eye (Figure 8A). With a wingspan 
of 1. lm it is small, but shares many commonalities with larger 
and more complex UAS. Our R2U2 framework has been 
implemented on an Adapteva Parallella board. This credit 
card sized board features a Zync 7010 FPGA and is run- 
ning Linux, which facilitates preprocessing of signals, run- 
ning the prognostics engine, and perform data logging. For 
our experiments, we also performed the BN reasoning under 
Linux. Monitoring of the FSW is performed according to the 
schematics shown in Figure 3. Figure 8B shows the integra- 
tion of the Parallella board, located in one of the wings. 


B 

Figure 8. A: Dragon Eye UAS. B: Hardware integration of 
R2U2. 

For the experiments presented in this paper, we used a simula- 
tion environment that is based on the APM:Plane simulator 5 . 
As shown in Figure 9 the UAS is controlled by the opera- 
tor using a ground control station (GCS). The environment, 
the aircraft dynamics 6 , motors, sensors, and the flight com- 
puter is simulated in software running on a host PC. Moni- 
tored FSW data are collected from the simulator and sent to 
the Parallella board via a serial interface (FDTI cable), where 
monitoring and diagnosis is performed. These data are also 
recorded for replay purposes. Since this simulator does not 
contain any suitable battery model, we are using a MACCOR 
battery test stand which is able to simulate the flight path for 

5 http : / / plane . ardupilot . com 

6 JSBSim Flight Dynamics Model jsbsim. sourcforge . net 
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host PC 


Figure 9. High level system architecture with R2U2 


the DragonEye. In the MACCOR we simulate the batteries 
based on the path scenario in Figure 10. The data collected 
from the MACCOR testbed is feed to the simulator which in 
turn runs the prognostics algorithm. In our simplified setting, 
battery model takes throttle position and returns current val- 
ues of U batt and I batt . 


4.2. Simulation experiments 

In this section, we illustrate our approach with some simula- 
tion experiments. Figure 10 shows a typical example. The 
UAS is taking off from altitude 0 and reaching, after a short 
climb, an altitude of 200ft (Figure 10, top panel). It then 
flies a level course before descending to 100ft at time stamp 
600. A final climb, starting at time stamp 850 brings the UAS 
back to 200ft altitude. The throttle settings, necessary to ex- 
ecute this profile is proportional to the battery current Ibatt 
and shown in Figure 10, 2nd panel from top. The battery 
voltage drops when a large current is drawn, e.g., during the 
climb. During the descend, when only very little engine cur- 
rent is drawn, the battery can recover and the voltage slightly 
increases. Figure 10, 3rd panel from top shows Ubatt for 
a fully charged battery (green) and a battery that only had 
been charged to 50% (red line). With both values, the current 
and the voltage, the prognostics engine calculates an RUL 
for the battery at each point in time. As a safety threshold, 
we use 6 = 1000. Finally, the bottom panel shows the out- 
put of the R2U2 unit for different formulas related to flight 
rule FI: according to the flight plan, a climb will be neces- 
sary at t = 850 (dashed magenta line). At time stamp 250, 
we want to ask if the battery is still good to do that climb. 
The top row shows the valuation of asynchronous observer 
for □[ 250 , 850 \t i b' UL > 0- This formula can only become true 
after the interval has been expired. The green line shows 
this situation for the good battery. The RUL of weak bat- 
tery, crosses the threshold at around 500 time stamps. After 
that time, the formula remains false. Thus, the result of this 
formula can only be used after time stamp 850, usually too 
late to start any mitigation action. The second line shows the 
result of the synchronous observer for the same formula. At 
the beginning its value is “maybe” until the final value can be 
determined: at t = 850 for the good battery and at t = 500 
for the weak one. Here, this three-valued observer allows us 
to obtain information earlier. The bottom lines show the val- 
uation of the prognostics-based formula fib UL (850) > 0 for 
both scenarios. This formula is valuated immediately and the 
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titude profile, Ibatt , Ubatt , Hb UL , and valuations (at 
t = 250) of asynchronous and synchronous observers for 
□[ 250 , 850 ] OKbatu and /rf c/i (850) > 1000 for a fully 
charged battery (green) and one charged to 50% (red). 



Figure 11. Bayesian Network for altimeter health model 


result can be used to start a necessary mitigation action earlier 
than with temporal logic alone. 

4.3. Prognostics for Root Cause Analysis 

For this experiment we assume that the UAS is equipped with 
a barometric altimeter (BA) and a laser altimeter (LA). Both 
sensors measure the altitude of the aircraft but can fail in 
different ways. We want to construct a probabilistic health 
model to reason about the health of these sensors. 

Our BN model in Figure 1 1 does not reason about actual al- 
titude measurements but rather uses an abstracted indication 
of increasing or decreasing altitude, noted as Up and DOWN. 
Observable sensor nodes for BA and LA (Figure 1 1 bottom, 
left) are clamped to these values based upon the information 
extracted from the flight software. The health of each of the 
sensors is reflected in the nodes HXaseralt and H_Baroalt 
with states Good and Bad (Figure 1 1 top). 

The priors of these nodes indicate the reliability of each of 
the sensors (see below). Each of the sensors should mea- 
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Table 1. CPT Table for BN in Figure 1 1 


H_Baroalt 

Good 

Bad 

U.Climb 

Up 

Down 

Up 

Down 

S_Baroalt=UP 

1 

0 

0.5 

0.5 

S_Baroalt=DoWN 

0 

1 

0.5 

0.5 


U -Climb .engine 

Up 

Up 

S_SoC=High 

0.85 

0.15 

S_SoC=Low 

0.5 

0.5 


sure the same entity and thus should show the same behavior 
with respect to UAS climbs and descents. This is modeled by 
the unobservable behavior node U climb, which influences 
both sensors. If both sensors show the same behavior (e.g., 
Up,Up), the sensors are most likely healthy. Divergent be- 
havior might indicate a problem with either sensor. Table 1 A 
shows the CPT for BA sensor node S_Baroalt (the CPT table 
for the LA sensor has the same structure). The CPT table de- 
notes that a healthy sensor follows the climb behavior (center 
columns). If the sensor is broken, however, probabilities are 
0.5, so nothing can be deduced (right columns). 

We now need to address the question on how to find the root 
cause with divergent sensor readings. In our model, we pull 
in additional information related to climb or descend behavior 
of the UAS. This behavior is, in particular, related to the ques- 
tion whether an engine-induced climb is happening. This be- 
havior U_Climb_engine is unobservable as well. An engine- 
induced climb can only happen if a climb command has been 
initiated by the FSW (C Climb init is set to Up). In addi- 
tion, the current state of the battery plays an important role: if 
the battery is fully charged (S_SoC is High), a commanded 
climb will result in the aircraft gaining altitude, something 
that cannot be guaranteed when the battery is already weak. 
Here, we need to use probabilistic reasoning, because other 
effects like down-drafts can play a major role. The CPT 
for this node is shown in Table IB. A good battery will re- 
sult in a climb in 85% of the cases: p(U_climb_engine = 
Up|S_SoC = High) = 0.85. A weak battery is modeled as 
p(\] climb engine = Up|S SoC = Low) = 0.5. Note that 
there is also an edge connecting S SoC with HXaseralt. This 
edge models the effect that the LA might be less reliable and 
accurate when the battery is weak. In our model, the BA is 
reliable to 95%, whereas the LA is only 90% reliable if the 
battery is good. Otherwise, the probability for a healthy LA 
drops to 0.6. 7 

Figure 12 shows the BN in a number of different situations. 
Observable nodes are colored red for Down and Low, and 
green for Up and High, respectively. The marginal proba- 
bilities of the behavior and health nodes are shaded in dif- 
ferent levels of grey, where white indicates a probability of 
one. In a nominal scenario (Figure 11) with sensor input con- 
sistent to climbing, both sensors appear to be healthy. Fig- 
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7 The probabilities used in this example have been selected for illustration 
purposes only. 


Figure 12. Bayesian Network for altimeter health model in 
various scenarios. See text for details. 


ure 12A shows a nominal situation when the UAS is descend- 
ing. Note that both unobservable behavior nodes now have 
status Down with high probability. A failing barometric al- 
timeter can be detected easily as such during descending (Fig- 
ure 12B) and climbing (Figure 12C) when the battery is fresh. 
If we get the same altitude sensor readings, but the battery is 
weak (Figure 12D), a different picture emerges: the model is 
aware that commanded climbs with a weak battery often do 
not result in an increasing altitude, because the engine doesn’t 
receive enough power. In addition, the LA is less reliable with 
a weak battery. Therefore, the BN reasons that, despite two 
other disagreeing sources, the BA is most likely in a better 
shape than the LA. 

5. Conclusions 

In this paper we presented the integration of prognostics rea- 
soning into the R2U2 temporal and Bayesian health manage- 
ment framework. We used a UKF-based prognostics engine 
to provide SOC and RUL prognoses for the battery of a UAS. 
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This information can be used in the R2U2 model to improve 
diagnostic accuracy. Most notably, prognostic information 
allows the monitor to instantaneously evaluate at the present 
time step the properties dealing with events in the future (e.g., 
a climb in 10 minutes). Temporal logic observers can only 
do that valuation at the end of the time interval, or only pro- 
vide minimal information (maybe). Thus, statistically reli- 
able health information is available at a much earlier time, a 
capability that is very valuable for safe autonomous decision 
making. 

The presented work is only a first step toward full integration. 
Future work will investigate how the probability densities of 
the prognostics outputs can be directly used by a Bayesian 
network with sensor nodes capable of handling discretized 
probability density functions. Also the use of multiple mod- 
els for nominal and off-nominal battery conditions and fault 
progression might improve fault detection and diagnostic rea- 
soning in advanced R2U2 health models. Furthermore, we 
will aim to implement the prognostics engine in FPGA hard- 
ware (see e.g., (Soh & Wu, 2014) for a possible approach). 
For monitoring safety and performance of a UAS, we would 
also like to evaluate the usefulness of information from other 
components of the UAS (e.g. engine, or other structural com- 
ponents) as well as environmental effects (e.g., icing) or oper- 
ational performance (e.g., reliability of a radio link in differ- 
ent weather conditions) for prognosis. Such additional infor- 
mation might be amenable to prognostic modeling and sub- 
sequent integration into R2U2 health models. 

Nomenclature 


,,RUL 

Pb 

mean of RUL for battery 

„ RUL 
a b 

std of RUL for battery 

,,SoC 

Pb 

mean of SoC for battery 

a So° 

std of SoC for battery 

v z 

vertical velocity 

soc 

state of charge of battery [%] 

RUL 

remaining useful life 

EOD 

End of Discharge 

EOL 

End of Life 

H_X 

BN health node for component X 

U 

BN behavior node 
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